summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCristian Stoica <cristian.stoica@freescale.com>2014-09-23 10:44:40 (GMT)
committerMatthew Weigel <Matthew.Weigel@freescale.com>2014-12-11 18:41:02 (GMT)
commit93471b68954c1b81d1099461cb724046c9a5bca9 (patch)
treed7239909afab1e4f8d029999ca1a3ede45c6098c
parente8b69435af3cb76513b95e7ba7d817b2325089ba (diff)
downloadlinux-fsl-qoriq-93471b68954c1b81d1099461cb724046c9a5bca9.tar.xz
crypto: caamctrl: fix array out of bound access
desc_len(desc) returns a result masked by a seven bits mask representing a descriptor length. The maximum length is 64 u32 words but masking allows for larger but incorrect values. This fix adds a bound check to the index of deco.descbuf array (which is smaller than the maximum of 64 words), to avoid invalid memory accesses. (based on commit 05dbe2ed7da7d67cfd8915382c2559db684a0a29) Signed-off-by: Cristian Stoica <cristian.stoica@freescale.com> Signed-off-by: Matthew Weigel <matthew.weigel@freescale.com> Change-Id: I05dbe2ed7da7d67cfd8915382c2559db684a0a29 Conflicts: drivers/crypto/caam/ctrl.c Reviewed-on: http://git.am.freescale.net:8181/19805 Tested-by: Review Code-CDREVIEW <CDREVIEW@freescale.com> Reviewed-by: Matthew Weigel <Matthew.Weigel@freescale.com>
-rw-r--r--drivers/crypto/caam/ctrl.c19
1 files changed, 15 insertions, 4 deletions
diff --git a/drivers/crypto/caam/ctrl.c b/drivers/crypto/caam/ctrl.c
index 17c4cb9..9ea5005 100644
--- a/drivers/crypto/caam/ctrl.c
+++ b/drivers/crypto/caam/ctrl.c
@@ -76,6 +76,7 @@ static void build_deinstantiation_desc(u32 *desc, int handle)
* Return: - 0 if no error occurred
* - -ENODEV if the DECO couldn't be acquired
* - -EAGAIN if an error occurred while executing the descriptor
+ * - -EINVAL if the descriptor length is incorrect
*/
static inline int run_descriptor_deco0(struct device *ctrldev, u32 *desc,
u32 *status)
@@ -85,7 +86,7 @@ static inline int run_descriptor_deco0(struct device *ctrldev, u32 *desc,
struct caam_deco __iomem *deco = ctrlpriv->deco;
unsigned int timeout = 100000;
u32 deco_dbg_reg, flags;
- int i, ret;
+ int i, ret, dlen;
if (ctrlpriv->virt_en == 1) {
@@ -110,7 +111,14 @@ static inline int run_descriptor_deco0(struct device *ctrldev, u32 *desc,
goto out_err;
}
- for (i = 0; i < desc_len(desc); i++)
+ dlen = desc_len(desc);
+ if (dlen > MAX_CAAM_DESCSIZE) {
+ dev_err(ctrldev, "invalid descriptor length\n");
+ ret = -EINVAL;
+ goto out_err;
+ }
+
+ for (i = 0; i < dlen; i++)
wr_reg32(&deco->descbuf[i], *(desc + i));
flags = DECO_JQCR_WHL;
@@ -118,7 +126,7 @@ static inline int run_descriptor_deco0(struct device *ctrldev, u32 *desc,
* If the descriptor length is longer than 4 words, then the
* FOUR bit in JRCTRL register must be set.
*/
- if (desc_len(desc) >= 4)
+ if (dlen >= 4)
flags |= DECO_JQCR_FOUR;
/* Instruct the DECO to execute it */
@@ -169,6 +177,7 @@ out_err:
* - -EAGAIN if an error occurred when executing the descriptor
* f.i. there was a RNG hardware error due to not "good enough"
* entropy being aquired.
+ * - -EINVAL if the descriptor length is incorrect
*/
static int instantiate_rng(struct device *ctrldev, int state_handle_mask,
int gen_sk)
@@ -199,7 +208,8 @@ static int instantiate_rng(struct device *ctrldev, int state_handle_mask,
/* Try to run it through DECO0 */
ret = run_descriptor_deco0(ctrldev, desc, &status);
-
+ if (ret)
+ break;
/*
* If ret is not 0, or descriptor status is not 0, then
* something went wrong. No need to try the next state
@@ -237,6 +247,7 @@ static int instantiate_rng(struct device *ctrldev, int state_handle_mask,
* - -ENOMEM if there isn't enough memory to allocate the descriptor
* - -ENODEV if DECO0 couldn't be acquired
* - -EAGAIN if an error occurred when executing the descriptor
+ * - -EINVAL if the descriptor length is incorrect
*/
static int deinstantiate_rng(struct device *ctrldev, int state_handle_mask)
{